Some Security is Better Than None

Streetwisz · 2018-02-16 07:49:10 UTC

As much as I really love Monzo and it’s my main bank, and go to banking App which keeps getting better. I feel we should use our banking pin or be able to create our own. I get so worried if I loss or misplaced my phone someone could gain access to our banking info to steal our IDs What do other users think? All other banking Apps have some sort of security to log in, me personally would feel safer.

terryharman · 2018-02-16 07:27:29 UTC

I believe you can already use Touch ID to get into the app. To be fair though if I was to loose my phone it has a passcode on it so I’m not too worried and leave the feature off.

Streetwisz · 2018-02-16 07:40:42 UTC

Hi, Terry, I am very new to Monzo and still finding my feet, I have looked all over the App and I can not find Touch ID. Help

terryharman · 2018-02-16 07:45:27 UTC

I’m not too sure on Android but on iOS, open the app, click on account, then settings, then there is an option to ‘require Touch ID to unlock app’ swipe that to on

SC95 · 2018-02-16 07:52:35 UTC

I think you’re on Android. If so, be assured it’s being worked on and shouldn’t be too long.

A smiler thread below;

Streetwisz · 2018-02-16 08:24:58 UTC

Hi Terry,
Yes I am an Android user can’t stand Apple any more, another user on here has told me its a feature coming soon to Android.
Thanks for your help
regards
Iain

iptoriga · 2018-02-16 11:03:22 UTC

Do you have your phone currently locking with a pin / password / fingerprint, in the meantime?

BethS · 2018-02-16 17:39:19 UTC

It definitely won’t be long until we have a way for you to lock your Android app with a fingerprint.

Streetwisz · 2018-02-16 22:38:32 UTC

Hi Beth, thanks for the prompt reply, the panic is over I signed up with Bitdefender for mobiles security and they allow you to lock Apps with a pin and to my surprise including Monzo so now I want to use Monzo I have to put a 4 digit pin so I am happy now, finger print ID would be no good for me since I have ME and I get chapped skin and even over the finger print.
regards
Iain

anon44204028 · 2018-02-16 22:47:48 UTC

Yes. Despite users mentioning medical conditions affecting ability to use fingerprint readers, Monzo keep going on about securing the app with fingerprints and when pressed for an alternative option such as PIN or password are either non-committal or indicate this will not be an option. Having to rely on 3rd party software to make up for a failing in Monzo software is not ideal.

BethS · 2018-02-16 23:01:11 UTC

I’m sorry that your usability is affected due to your circumstances.

We’re trying to break down barriers one by one so I’m going to feed this back to our product team.

I am glad you found a way to secure it for yourself, even though as @anon44204028 advised that is not always ideal for everyone.

Monzilla · 2018-02-16 23:07:11 UTC

There are reviews of some banking apps here, and most of them offer a variety of secure login options to give the user a choice of preference.

GalaxyMergirl · 2018-02-16 23:27:57 UTC

The Monzo login is quite secure as long as you trust the email itself. Email and phone need to be trusted or your banking app is far from the greatest of your worries.

The app is secure it inherits that from your phone being secure, just like Android Pay does (which you can actually lose money with…)

simonb · 2018-02-18 16:02:10 UTC

I’m sorry you feel this way, however the explanation is actually a simple one

Firstly, fingerprint unlock is the preferred app unlock method of choice for the vast majority of users. The amount of requests we get for an alternate solution on iOS, where we’ve had TouchID unlocking for a long time, is tiny.

This is not unique to our app, many apps that have fingerprint based authentication don’t have alternative options.

Secondly, fingerprint unlock on Android is entirely client-based, whereas implementing a PIN method requires significant work on our back end, too. That obviously makes it a larger project requiring more resources.

That doesn’t mean we won’t do it - it’s just that we’ve not scoped it out yet and we’d like to look at the data we get from shipping fingerprint unlock first - if 99% of compatible Android devices choose to use the feature, it’s clearly a less pressing issue than if barely anybody elects to use it.

Fingerprint unlock, as it’s coming, is something that will be helpful to many users. It won’t be the perfect solution for every single person, but like everything will iterate and improve over time

anon44204028 · 2018-02-18 16:03:48 UTC

Thanks for your usual excellent reply.

anon23935806 · 2018-02-18 17:37:23 UTC

It’s funny to see people finding various “solutions” but still being stubborn enough not to realise that an attacker getting access to your unlocked phone can leave malware behind that will allow them unrestricted remote access to the phone, bypassing any stupid “security” you might think of.

Here’s some proof - Android-based banking malware, specifically designed to steal details from about 232 different banking apps.

Called Android.banker.A2f8a, researchers at Quick Heal Security Labs said that the malware has targeted more than 232 banking apps, stealing login credentials, hijacking SMSs, uploading contact lists and SMSs on a malicious server. *It also displays an overlay screen (to capture details) on top of legitimate apps

Even if your app had a passcode you’d just type it into the fake UI displayed by the malware and problem solved (for the bad guys that is).

I think part of the blame should be on the legacy banks who still insist that an in-app passcode somehow magically makes the underlying platform secure even against an attacker with root/superuser level access.

GalaxyMergirl · 2018-02-18 17:33:16 UTC

Legacy bank app security theatre is awful. It’s about trust. You need to trust your phone. If you don’t, throw it away and get one you do (or change whatever makes you not trust it).

garete · 2018-02-18 19:12:10 UTC

If the phone is compromised with A2f8a (which targeted India, and the 3rd party app market), it prompts you about a fake security alert and takes you to a fake login page - a better (but not really?) pretend phishing scam. You cannot draw over (correctly configured) banking apps. If you have someone targeting your unlocked phone long enough to install an app and set device administrator, then I’d be more worried about being tracked (for targeted theft) or blackmailed rather than money in the bank.

I have two gripes about only using fingerprint:

It’s not 100% reliable - there are times it refuses to read, from grease or misplacement etc.
- atm, the Monzo answer is to uninstall and reinstall the app to revert to the magic link, though the answer is hidden on this forum - how is that good design?
The reader is not always front facing on Android phones, so on a desk or mount it is awkward to unlock
Between these two factors, I would say it’s an 80/20 split for me using finger/pass

Given 100% of current hardware has a fingerprint sensor and how easy & good the Apple implementation is - no surprise?

Meanwhile, outside the iOS bubble:

Source, Alt

simonb · 2018-02-18 19:23:01 UTC

The vast majority of Monzo users on Android have devices with fingerprint sensors too. Obviously not 100% but not far off either. There’s a huge weight towards Pixel, high end Samsung and OnePlus devices.

anon44204028 · 2018-02-18 19:28:33 UTC

Despite the fact I can’t use fingertip readers due to medical problems, I never realised it would be harder to use with the reader on the rear of the phone (as mine is). I guess if it on the front and you can see what you are doing it is easier than wiggling your finger around behind the phone trying to contact a reader you can not see.